
Booking.com breach gives scammers what they need to target guests

  • securityboulevard.com
  • published date: 2026-04-16 00:00:00 UTC


<p>The post <a href="https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests">Booking.com breach gives scammers what they need to target guests</a> appeared first on <a href="https://www.malwarebytes.com/">Malwarebytes</a>.</p><p>Travel companies love telling you your data is safe. Booking.com just reminded everyone why that’s a hard promise to keep.</p><p>The Amsterdam-based booking giant began notifying customers on April 13 that “unauthorized third parties” had accessed guest reservation data. The compromised information includes booking details, names, email addresses, physical addresses, and phone numbers—essentially everything you’d need to convincingly impersonate a hotel contacting a guest.</p><p>The criminals appear to have accessed the data by compromising Booking.com’s hotel partners. A Microsoft <a href="https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/" rel="noreferrer noopener nofollow">report</a> blames the ClickFix phishing technique, which gets victims (in this case, hotel employees) to install malware disguised as a computer “fix.”</p><p>Microsoft blames a criminal group called Storm-1865 for the caper, and caught it running exactly this kind of campaign against hotel workers across North America, Oceania, South and Southeast Asia, and Europe, deploying nasty malware like <a href="https://www.malwarebytes.com/blog/threat-intel/2025/11/we-opened-a-fake-invoice-and-fell-down-a-retro-xworm-shaped-wormhole" rel="noreferrer noopener">XWorm</a> and <a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/bogus-avast-website-fakes-virus-scan-installs-venom-stealer-instead" rel="noreferrer noopener">VenomRAT</a> through fake CAPTCHA pages.
</p><p>Booking.com’s customer notification warned that the exposed data could be used for phishing and said it would never ask for sensitive information or bank transfers.</p><p>But scammers have a proven playbook for turning stolen booking data into cash. They can hijack a reservation by impersonating a hotel, or message guests demanding a further payment or credit card details for “payment verification.” The stolen data gives them everything they need to convince the hotel customer they’re legit.</p><p>The UK’s Action Fraud <a href="https://www.theguardian.com/money/2025/jun/29/your-reservation-is-at-risk-beware-the-bookingcom-scam" rel="noreferrer noopener nofollow">received 532 reports of Booking.com scams</a> like this between June 2023 and September 2024, with victims losing £370,000 (around $470,000).</p><p>This has happened to Booking.com partners and customers before. In 2018, criminals <a href="https://www.express.co.uk/travel/articles/969363/Booking-com-uk-hackers-whatsapp-text-scam" rel="noreferrer noopener nofollow">phished hotel employees</a> and accessed data belonging to Booking.com customers. Scammers also conducted a voice phishing campaign later that year that targeted 40 hotels in the UAE. Over 4,000 customers’ data was stolen, including credit card data from 300 people. Booking.com was late reporting the breach to the Dutch privacy regulator, which <a href="https://www.edpb.europa.eu/news/national-news/2020/dutch-sa-fines-bookingcom-delay-reporting-data-breach_en" rel="noreferrer noopener nofollow">imposed a €475,000 fine</a> (around $560,000) in 2021.</p><h2 class="wp-block-heading" id="h-the-travel-industry-s-recurring-breach-problem"><strong>The travel industry’s recurring breach problem</strong></h2><p>Breaches like these are a pattern in the travel business.
In January 2026, Eurail <a href="https://www.theregister.com/2026/01/14/eurail_breach/" rel="noreferrer noopener nofollow">disclosed a breach</a> that spilled passport numbers, addresses, and, for some travelers, photocopies of IDs and health data. KLM and Air France had customer data <a href="https://www.theregister.com/2025/08/07/klm_air_france_latest_major/" rel="noreferrer noopener nofollow">swiped</a> in August 2025. Hertz, Dollar, and Thrifty were all <a href="https://www.theregister.com/2025/04/15/hertz_cleo_customer_data/" rel="noreferrer noopener nofollow">caught</a> in the Cl0p gang’s exploitation of Cleo file transfer software, with criminals pilfering drivers’ licenses and credit card data.</p><p>What’s interesting about all of these incidents is that, like the Booking.com data heist, all involve the compromise of third parties rather than the travel operations themselves. The travel industry sits on enormous troves of passport numbers, payment cards, and itineraries. And its security posture of sprawling supply chains, franchised operations, and third-party platforms makes it a soft target.</p><h2 class="wp-block-heading" id="h-what-you-can-do"><strong>What you can do</strong></h2><p>How many customers were affected? Booking.com isn’t saying. For a platform with over 100 million active mobile app users and 500 million monthly website visits, that silence is concerning.</p><p>If you’ve used Booking.com recently, here’s the practical guide to protection.
Don’t trust messages asking you to “verify” payment details, even if they arrive through the platform itself.</p><p>Here is Booking.com’s own <a href="https://www.theguardian.com/money/2025/jun/29/your-reservation-is-at-risk-beware-the-bookingcom-scam" rel="noreferrer noopener nofollow">advice</a> about these scams, issued before this latest incident: </p><blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p>“If there is no pre-payment policy or deposit requirement outlined, but you’re asked to pay in advance to secure your booking, it is likely a scam.”</p> </blockquote><p>Check your booking confirmation email for what you actually owe and when. If anything seems off, contact the property directly, rather than through a link someone sends you. And watch your bank statements. The scammers who exploit this kind of data don’t always strike immediately.</p><hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"><p><strong>We don’t just report on scams—we help detect them</strong></p><p>Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using <a href="https://www.malwarebytes.com/solutions/scam-guard">Malwarebytes Scam Guard</a>. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. 
Available with <a href="https://www.malwarebytes.com/premium" rel="noreferrer noopener">Malwarebytes Premium Security</a> for all your devices, and in the <a href="https://www.malwarebytes.com/mobile">Malwarebytes app for iOS and Android</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests">https://www.malwarebytes.com/blog/data-breaches/2026/04/booking-com-breach-gives-scammers-what-they-need-to-target-guests</a> </p>